Cisco Firewall

  • Admin
  • 08:45

Next-Generation Firewall (NGFW)

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

A firewall can be hardware, software, or both.

Types

Proxy firewall

An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application. Proxy servers can provide additional functionality such as content caching and security by preventing direct connections from outside the network. However, this also may impact throughput capabilities and the applications they can support.

Stateful inspection firewall

Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are made based on both administrator-defined rules as well as context, which refers to using information from previous connections and packets belonging to the same connection.
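The rule-plus-context decision described above, as an added illustration (not Cisco code): a minimal stateful filter that only consults administrator rules for connection-opening packets and allows everything else purely on the basis of a connection table built from earlier packets. Zone names, the rule layout, the state names and the packet trace are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not Cisco code. Rules are administrator-defined; the connection
# table is the "context" learned from earlier packets of the same connection.
# Zone names, rule layout, states and the trace below are constructed assumptions.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags: "S", "SA", "A", "F", "R"

# Administrator-defined rule: (source zone, protocol, destination port)
# that may OPEN a new connection. Everything else relies on state.
Rule = Tuple[str, str, int]

class StatefulFirewall:
    def __init__(self, zones: Dict[str, str], rules: List[Rule]):
        self.zones = zones                 # ip -> "inside"; unknown = "outside"
        self.rules = set(rules)
        self.table: Dict[tuple, str] = {}  # 5-tuple -> connection state
        self.log: List[str] = []

    @staticmethod
    def _fwd(p): return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _rev(p): return (p.dst, p.dport, p.src, p.sport, p.proto)

    def decide(self, p: Packet) -> str:
        fwd, rev = self._fwd(p), self._rev(p)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            # Context: packet belongs to a connection we have already seen.
            if p.proto == "tcp" and ("R" in p.flags or "F" in p.flags):
                del self.table[key]  # simplified: real devices keep a half-close timer
            elif key == rev and self.table[key] == "SYN_SENT" and p.flags == "SA":
                self.table[key] = "ESTABLISHED"
            return self._log("ALLOW", p, "matches tracked connection")
        # No state: only a connection-opening packet may be matched to a rule,
        # so stray SYN/ACKs and ACKs from outside are dropped without a lookup.
        if p.proto == "tcp" and p.flags != "S":
            return self._log("DROP", p, "no state and not a SYN")
        if (self.zones.get(p.src, "outside"), p.proto, p.dport) in self.rules:
            self.table[fwd] = "SYN_SENT" if p.proto == "tcp" else "UDP"
            return self._log("ALLOW", p, "rule permits new connection")
        return self._log("DROP", p, "no rule permits new connection")

    def _log(self, verdict: str, p: Packet, why: str) -> str:
        self.log.append(f"{verdict} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} {why}")
        return verdict

def run_trace():
    # Constructed trace: inside host is trusted, everything else is outside.
    fw = StatefulFirewall(zones={"10.0.0.5": "inside"},
                          rules=[("inside", "tcp", 443), ("inside", "udp", 53)])
    trace = [
        Packet("10.0.0.5", 40001, "203.0.113.10", 443, "tcp", "S"),   # inside opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 40001, "tcp", "SA"),  # reply: in-state
        Packet("10.0.0.5", 40001, "203.0.113.10", 443, "tcp", "A"),
        Packet("198.51.100.7", 443, "10.0.0.5", 40002, "tcp", "SA"),  # unsolicited SYN/ACK
        Packet("198.51.100.7", 55555, "10.0.0.5", 22, "tcp", "S"),    # inbound SSH: no rule
        Packet("10.0.0.5", 5353, "203.0.113.53", 53, "udp"),           # DNS query
        Packet("203.0.113.53", 53, "10.0.0.5", 5353, "udp"),           # DNS reply: in-state
        Packet("10.0.0.5", 40001, "203.0.113.10", 443, "tcp", "F"),   # close
        Packet("203.0.113.10", 443, "10.0.0.5", 40001, "tcp", "A"),   # after close: no state
    ]
    return [fw.decide(p) for p in trace], fw
```

Running `run_trace()` shows the same outside packet being allowed or dropped depending only on whether the inside host opened the connection first.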

Unified threat management (UTM) firewall

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.


Next-generation firewall (NGFW)

Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.

According to Gartner, Inc.’s definition, a next-generation firewall must include:

  • Standard firewall capabilities like stateful inspection
  • Integrated intrusion prevention
  • Application awareness and control to see and block risky apps
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats

While these capabilities are increasingly becoming the standard for most companies, NGFWs can do more.


Threat-focused NGFW

These firewalls include all the capabilities of a traditional NGFW and also provide advanced threat detection and remediation. With a threat-focused NGFW you can:

  • Know which assets are most at risk with complete context awareness
  • Quickly react to attacks with intelligent security automation that sets policies and hardens your defenses dynamically
  • Better detect evasive or suspicious activity with network and endpoint event correlation
  • Greatly decrease the time from detection to cleanup with retrospective security that continuously monitors for suspicious activity and behavior even after initial inspection
  • Ease administration and reduce complexity with unified policies that protect across the entire attack continuum


Advanced defenses for advanced attacks

Block more threats and quickly mitigate those that do breach your defenses with the industry’s first threat-focused NGFW. Our Cisco Firepower NGFW appliances combine our proven network firewall with the industry’s most effective next-gen IPS and advanced malware protection. All so you can get more visibility, be more flexible, save more, and protect better.

Find the best next-generation firewall

ASA 5500-X with FirePOWER Services

  • Small business, branch office, enterprise
  • Firewall throughput from 256 Mbps to 15 Gbps
  • Threat inspection from 125 Mbps to 30 Gbps
  • Stateful firewall, AVC, NGIPS, AMP, URL

Stop more threats with the threat-focused 5500-X NGFW

Beat sophisticated cyber attacks with a superior security appliance. We offer the industry’s first threat-focused next-generation firewall (NGFW), the ASA 5500-X Series.

Superior multilayered protection

Stay more secure. This NGFW has earned the highest security effectiveness scores in third-party testing for both NGIPS and AMP, blocking 99.4% and 99.2% of threats, respectively. Get the NSS Labs NGIPS report and AMP report.

Simplified management and lower costs

Get visibility into and control over activity across your network. Gain insight into users, apps, devices, threats, files, and vulnerabilities. Extend protection from the data center to mobile devices. It’s all possible with our Firepower Management Center.

Unified security services and task automation

Our integrated approach to threat defense reduces capital and operating costs as well as administrative complexity by consolidating multiple security services in a single platform. Automate security tasks to increase agility and speed remediation.

Wide range of sizes and form factors

We have the platform for you: standalone options for small and midsize businesses, ruggedized appliances for extreme environments, midsize appliances for security at the Internet edge, and high-performance appliances for enterprise data centers.

5500-X Series Models

ASA 5506-X with FirePOWER Services

Up to 300 Mbps FW
Multiservice capable
8 x 1 GE
Desktop

ASA 5506W-X with FirePOWER Services

Up to 300 Mbps FW
Multiservice capable
8 x 1 GE
Desktop with WAP

ASA 5508-X with FirePOWER Services

Up to 500 Mbps FW
Multiservice capable
8 x 1 GE
1 RU

ASA 5516-X with FirePOWER Services

Up to 900 Mbps FW
Multiservice capable
8 x 1 GE
1 RU

ASA 5525-X with FirePOWER Services

Up to 1 Gbps FW
Multiservice capable
8 x 1 GE
1 RU

ASA 5555-X with FirePOWER Services

Up to 2 Gbps FW
Multiservice capable
8 x 1 GE
1 RU

ASA 5585-X with FirePOWER SSP-20

Up to 5 Gbps FW
Up to 3.5 Gbps IPS
8 x 1 GE + 2 x 10 GE
2 RU

ASA 5585-X with FirePOWER SSP-60

Up to 20 Gbps FW
Up to 10 Gbps IPS
6 x 1 GE + 4 x 10 GE
2 RU

Firepower 4100 Series

  • Internet edge, high-performance environments
  • Firewall throughput from 20 Gbps to 60 Gbps
  • Threat inspection from 10 Gbps to 20 Gbps
  • Stateful firewall, AVC, NGIPS, AMP, URL

Better security, faster speeds, smaller footprint

Stop more threats with our fully integrated next-generation firewall (NGFW) appliance. The 4100 Series’ 1-rack-unit size is ideal at the Internet edge and in high-performance environments. It shows you what’s happening on your network, detects attacks earlier so you can act faster, and reduces management complexity.

Threat-focused NGFW

Get granular application control. Protect against malware. Gain insight into and control over threats and vulnerabilities. Shrink time to detection and remediation. Reduce complexity with a single management interface.

Performance and density optimized

Key capabilities include support for 1/10/40 Gigabit Ethernet interfaces, up to 60 Gbps stateful firewall throughput, low latency, and a 1 RU form factor.

Integrates with Cisco and third-party solutions

Further strengthen your defenses. Share intelligence, context, and policy controls by integrating other Cisco networking and security solutions.

Unified management

Reduce complexity and simplify operations. Consolidate all security functions in a single management interface. It automatically prioritizes security events, recommends tailored security protections, and tracks and contains malware infections.

Models

Firepower 4110

Up to 20 Gbps
Multiservice capable
1/10/40 GE
1 RU

Firepower 4120

Up to 40 Gbps
Multiservice capable
1/10/40 GE
1 RU

Firepower 4140

Up to 60 Gbps
Multiservice capable
1/10/40 GE
1 RU


Firepower 9000 Series

Modular security platform for service providers 

This carrier-grade next-generation firewall (NGFW) is ideal for data centers and other high-performance settings that require low latency and high throughput. Deliver scalable, consistent security to workloads and data flows across physical, virtual, and cloud environments. With tightly integrated services, the Firepower 9000 Series lowers costs and supports open, programmable networks.

Scalable multiservice security

Eliminate security gaps. Integrate and provision multiple Cisco and Cisco partner security services dynamically across the network fabric. See and correlate policy, traffic, and events across multiple services.

Expandable security modules

Flexibly scale your security performance. Meet business agility needs and enable rapid provisioning.

Carrier-grade performance

NEBS-compliant configurations available. Elevate threat defense and network performance with low-latency, large flow handling, and orchestration of security services. Protect Evolved Programmable Network, Evolved Services Platform, and Application Centric Infrastructure architectures.

Models

Firepower 9300

1.2 Tbps clustered throughput
10/40/100 Gb Network Interfaces
57 million concurrent connections, with application control
500,000 new connections per second
Security services options: AVC, NGIPS, AMP, URL Filtering, DDoS Mitigation

Next-Generation Intrusion Prevention System (NGIPS)

Get better protection against today’s sophisticated attacks. Stop more threats, gain more insight into your environment, and protect your digital business initiatives. Cisco Firepower Next-Generation IPS (NGIPS) threat appliances combine superior visibility, embedded security intelligence, automated analysis, and industry-leading threat effectiveness.

Real-time contextual awareness

If you can’t see it, you can’t protect it. Gain deep insight into your network devices, applications, users, operating systems, files, and more. Use this information to better understand network behavior, identify out-of-compliance situations, and evaluate intrusion events.

Advanced threat protection

Address known and unknown threats through fully integrated advanced malware protection (AMP) and sandboxing solutions. Rapidly detect, block, contain, and remediate advanced threats. Our median time to detection (MTTD) is an industry-leading 13 hours.

Global threat intelligence

Get up-to-the-minute threat protection through Cisco’s worldwide threat visibility and analysis organization. Their efforts result in more than 35,000 vulnerability-focused IPS rules, advanced malware detections, and embedded IP-based, URL-based, and DNS-based security intelligence.

Intelligent security automation

Correlate threat events with the intended target’s vulnerabilities to prioritize the threats that matter most. Analyze your network vulnerabilities to identify needed security policies. Associate users with our intrusion events to speed investigations. Do more with less staff.

High-performance appliances

Cisco Firepower (4100 Series and 9000 Series) and FirePOWER (7000 Series and 8000 Series) appliances are purpose-built to provide the right throughput, modular design, and carrier-class scalability. They incorporate a low-latency, single-pass design and include fail-to-wire interfaces.

Find the best NGIPS

Cisco Firepower NGIPS is available on many appliance models and in both physical and virtual form factors. Choose the best option for your use case and throughput needs.

FirePOWER 8000 Series

  • Designed for campus and enterprise deployments
  • Threat inspection up to 60 Gbps
  • Stackable scalability
  • Fail-to-wire interfaces available

Enterprise Threat Protection and Performance

Cisco FirePOWER 8000 Series Appliances deliver industry-best threat protection as the high-performance platform for the Cisco FirePOWER next-generation intrusion prevention system (NGIPS) solution. Our enterprise-level network security appliances provide multi-layered threat protection at high inspection throughput rates with a low cost of ownership.

Security You Can Count On

Optimized for network security processing, the Cisco FirePOWER 8000 Series provides the multi-layered threat protection organizations need to deal with today’s evolving threat landscape at the speeds enterprises require.

With the Cisco FirePOWER NGIPS solution, the Cisco FirePOWER 8000 Series sets a new standard for advanced threat protection. It integrates real-time contextual awareness, full-stack visibility, and intelligent security automation for industry-leading security effectiveness.

The NGIPS threat protection solution is centrally managed through the Cisco Firepower Management Center and can be further expanded with optional subscription licenses to add:

The result? Security you can count on combined with reliable performance and a low total cost of ownership.

Easily Change Interface Configurations

Instead of the usual fixed port configuration of most high-end security appliances, the modularity of the 8000 Series Appliances allows you to choose and change the number and type of network interfaces for the appliance. Various network modules (NetMods) are inserted into Cisco FirePOWER 8000 Series Appliances to customize the interface configuration to match your network requirements.

Virtual Security

The Cisco FirePOWER NGIPS solution and Cisco Firepower Management Center are available for VMware platforms. They provide the same control and protection as their physical Cisco FirePOWER 8000 Series counterparts. These virtual NGIPS appliances can enable you to inspect traffic between virtual machines and combine and manage up to 25 physical and virtual appliances with a single Management Center.

Benefits

The Cisco FirePOWER 8000 Series Appliances provide purpose-built breakthrough acceleration technology with market-leading performance and greater space and energy efficiency. The series includes 11 different models that provide:

  • High-throughput – Up to an industry-leading 60 Gbps of inspected throughput
  • Modularity – Choose NetMods per throughput, port density, and media needs
  • Expandability – Pay for network interfaces as you grow
  • Scalability – Add additional processing power through appliance stacking

All Cisco FirePOWER 8000 Series Appliances include:

  • LCD management interfaces
  • Serial over Ethernet console access for remote configurations
  • Solid state disk drives for increased reliability
  • Redundant, hot-swappable power supplies

The Cisco FirePOWER NGIPS solution has been continuously recognized as a leader in the Gartner Magic Quadrant for Network IPS. And the Cisco FirePOWER 8260 Appliance received top ranking in NSS Labs’ 2012 Security Value Map for IPS security effectiveness and TCO.

Specifications at a Glance

  • IPS throughput range: 2 Gbps through 60 Gbps (11 models)
  • Modular interfaces: From 3 to 7 NetMod slots
  • Maximum concurrent connections: From 3 million to 68 million
  • Management interfaces: 10/100/1000 RJ45
  • Typical latency: Less than 150 microseconds
  • Memory (RAM): From 24 GB to 512 GB


FirePOWER 7000 Series

  • Designed for small and remote offices
  • Threat inspection from 50 Mbps to 1.25 Gbps
  • 8-12 monitoring interfaces
  • Small Form-Factor Pluggable (SFP): 2 models

Threat Protection Without Compromise

If you need network security appliances to support low to mid-range network throughput requirements with multi-layered threat protection and a low total cost of ownership, Cisco has the answer. Cisco FirePOWER 7000 Series Appliances deliver industry-best threat protection as the base platform for the Cisco FirePOWER next-generation intrusion prevention system (NGIPS) solution.

Features and Capabilities

Optimized for network security processing, Cisco FirePOWER 7000 Series Appliances support a number of different inspected throughput models and network connection media. They deliver breakthrough performance with purpose-built hardware acceleration technology and are energy-efficient for a low total cost of ownership. You can deploy the appropriate security appliance for your network link and use case requirements.

With the Cisco FirePOWER NGIPS solution, the Cisco FirePOWER 7000 Series sets a new standard for advanced threat protection. It integrates real-time contextual awareness, full-stack visibility, and intelligent security automation for industry-leading security effectiveness.

The NGIPS threat protection solution is centrally managed through the Cisco Firepower Management Center and can be further expanded with optional subscription licenses to add:

Key Features

Cisco FirePOWER 7000 Series Appliances support lower network performance requirements with eight different inspected throughput models, ranging from 50 Mbps to 1.25 Gbps.

Eliminate over-buying while gaining the same standardized features and management ease as the Cisco FirePOWER 8000 Series Appliances.

Virtual Security

The Cisco FirePOWER NGIPS solution and Cisco Firepower Management Center are available for VMware platforms. They provide the same control and protection as their physical Cisco FirePOWER 7000 Series counterparts.

These virtual NGIPS appliances can enable you to inspect traffic between virtual machines (VMs) and combine and manage up to 25 physical and virtual appliances with a single Cisco Firepower Management Center.

Specifications at a Glance

  • IPS throughput range: 50 Mbps up to 1.25 Gbps (8 models)
  • Monitoring interfaces: 8 – 12
  • Management interfaces: 10/100/1000 RJ45
  • Small Form-Factor Pluggable (SFP): 2 models (7115 and 7125)
  • Typical latency: Less than 150 microseconds
  • Memory (RAM): 4 GB – 16 GB


NGIPSv for VMware

  • Small branch offices and remote locations
  • Threat inspection up to 800 Mbps
  • East-west data center/PCI critical servers
  • Full NGIPS and options functionality

Industry-leading threat protection. Real-time contextual awareness. Full-stack visibility. Intelligent security automation. Together they equal security you can count on when using Cisco® NGIPSv for VMware, the virtualized offering of the Cisco FirePOWER next-generation IPS (NGIPS) solution. This highly effective intrusion prevention system provides reliable performance and a low total cost of ownership. Threat protection can be expanded with optional subscription licenses to provide Advanced Malware Protection (AMP), application visibility and control, and URL filtering capabilities. Cisco FirePOWER appliances set the industry benchmark for threat detection effectiveness, inspected throughput, and value as measured by studies conducted by NSS Labs, the world’s leading information security research and advisory company.

Benefits of a Virtualized Solution

Server virtualization brings significant business benefits. It is capable of reducing costs, enabling rapid deployment, and improving system availability. Yet implementing virtualization introduces potential security risks:

  • “Blind spots” are created because changes in topology or configuration will not be detected.
  • Functions are consolidated that other groups previously managed separately, such as networking or security, which can lead to configuration mistakes.
  • Virtual machines (VMs) quickly propagate without adequate coordination or oversight, a problem known as VM sprawl.

Cisco NGIPSv for VMware addresses the risks posed by virtualization by enabling you to deploy Cisco’s leading NGIPS solution within your virtual environments. This virtualized NGIPS is able to inspect traffic between virtual machines and make it easier to deploy and manage NGIPS solutions at remote sites where resources may be limited, increasing protection for both physical and virtual assets.

Cisco NGIPSv for VMware Applicability

  • PCI-critical servers, small branch offices, and remote locations (e.g., retail stores)
  • Organizations with distributed IT security organizations
  • Environments with hardware restrictions (e.g., mobile vehicles, military ships, outdoor deployments)
  • Organizations with lengthy hardware certification requirements
  • Environments with space constraints (little rack space remains in the data center)
  • Expanded real-time network, user, and VM discovery
  • Lab or training networks
  • Managed security service provider or cloud computing environments

Firepower Threat Defense for ISR

Increase Security and Reduce WAN Costs Without Backhauling Traffic

Cisco FirePOWER Threat Defense for ISR combines the industry-leading converged branch platform, Cisco ISR, with the best-in-class threat protection from Cisco’s FirePOWER next-generation IPS. The consolidated footprint returns valuable square footage to revenue-generating assets while the FireSIGHT management console provides a clear divide on roles and responsibilities.

Today’s distributed enterprises are facing increased pressure from their branch offices for direct Internet access, over the current method of backhauling traffic through the data center to gain access. This approach may save on WAN costs, but it also forfeits the inherent threat protection a data center provides.

The enterprise-level risks that branch offices face with bring-your-own-device issues, compliance requirements, and advanced persistent threats require enterprise-level security.

Cisco FirePOWER Threat Defense for ISR includes several products and capabilities to deliver enterprise-level, integrated threat protection to extended enterprise operations in the branch, including:

  • Our FirePOWER Next-Generation Intrusion Prevention System (NGIPS) sets the standard in advanced threat protection. It integrates real-time contextual awareness, intelligent security automation, and industry-leading threat prevention.
  • Application Visibility and Control reduces the potential surface area of attacks through granular control of thousands of applications. It enforces mobile, social, and other acceptable use policies.
  • Advanced Malware Protection (AMP) for Networks protects against sophisticated, targeted, zero-day, and persistent advanced threats. AMP continuously analyzes files and network traffic for threats that evade your first lines of defense. It provides deep visibility into the activity and behavior of the threat, then rapidly responds to and contains an active attack.
  • Reputation-based URL Filtering mitigates sophisticated client-side attacks. It controls access to more than 280 million URLs in over 80 categories, and can reduce risk from suspicious or unacceptable domains.
  • FireSIGHT Management Center is the centralized point of event and policy management for all FirePOWER Threat Defense for ISR components.

It provides visibility into everything on your network, including physical and virtual hosts, operating systems, applications, services, protocols, users, geo-location information, content, network behavior, network attacks, and malware. It can also reduce costs by streamlining operations and automating many commonly recurring security analysis and management tasks.

Note: Cisco Integrated Services Routers (ISR) Generation 2 and ISR 4000 Series only support NGIPSv on the UCS-E blade. Firepower Threat Defense Virtual (FTDv) is not officially supported.